Question
SEED Labs - ARP Cache Poisoning Attack Lab

3 Task 2: MITM Attack on Telnet using ARP Cache Poisoning

Hosts A and B are communicating using Telnet, and Host M wants to intercept their communication, so it can make changes to the data sent between A and B. The setup is depicted in Figure 1.

[Figure 1: Man-In-The-Middle Attack against telnet. A: Telnet Client; B: Telnet Server; M: Attacker. The Telnet packet passes through M, which changes the packet payload (to Z).]

Step 1 (Launch the ARP cache poisoning attack). First, Host M conducts an ARP cache poisoning attack on both A and B, such that in A's ARP cache, B's IP address maps to M's MAC address, and in B's ARP cache, A's IP address also maps to M's MAC address. After this step, packets sent between A and B will all be sent to M. We will use the ARP cache poisoning attack from Task 1 to achieve this goal.

Step 2 (Testing). After the attack is successful, please try to ping each other between Hosts A and B, and report your observation. Please show Wireshark results in your report.

Step 3 (Turn on IP forwarding). Now we turn on the IP forwarding on Host M, so it will forward the packets between A and B. Please run the following command and repeat Step 2. Please describe your observation.

```
$ sudo sysctl net.ipv4.ip_forward=1
```

Step 4 (Launch the MITM attack). We are ready to make changes to the Telnet data between A and B. Assume that A is the Telnet client and B is the Telnet server. After A has connected to the Telnet server on B, for every key stroke typed in A's Telnet window, a TCP packet is generated and sent to B. We would like to intercept the TCP packet, and replace each typed character with a fixed character (say Z). This way, it does not matter what the user types on A, Telnet will always display Z.

From the previous steps, we are able to redirect the TCP packets to Host M, but instead of forwarding them, we would like to replace them with a spoofed packet. We will write a sniff-and-spoof program to accomplish this goal.
In particular, we would like to do the following:

- We first keep the IP forwarding on, so we can successfully create a Telnet connection between A and B. Once the connection is established, we turn off the IP forwarding using the following command. Please type something on A's Telnet window, and report your observation:

```
$ sudo sysctl net.ipv4.ip_forward=0
```

- We run our sniff-and-spoof program on Host M, such that for the captured packets sent from A to B, we spoof a packet but with different TCP data. For packets from B to A (Telnet response), we do not make any change, so the spoofed packet is exactly the same as the original one.

To help students get started, we provide a skeleton sniff-and-spoof program in the following. The program captures all the TCP packets, and then for packets from A to B, it makes some changes (the modification part is not included, because that is part of the task). For packets from B to A, the program simply forwards the original packets.

```python
#!/usr/bin/python3
from scapy.all import *

VM_A_IP = "10.0.2.6"
VM_B_IP = "10.0.2.7"

def spoof_pkt(pkt):
    if pkt[IP].src == VM_A_IP and pkt[IP].dst == VM_B_IP \
            and pkt[TCP].payload:
        # Create a new packet based on the captured one.
        # (1) We need to delete the checksum fields in the IP and TCP headers,
        #     because our modification will make them invalid.
        #     Scapy will recalculate them for us if these fields are missing.
        # (2) We also delete the original TCP payload.
        # The copy is rebuilt from the raw bytes of the captured IP layer.
        newpkt = IP(bytes(pkt[IP]))
        del(newpkt.chksum)
        del(newpkt[TCP].chksum)
        del(newpkt[TCP].payload)

        # Construct the new payload based on the old payload.
        # Students need to implement this part.
        olddata = pkt[TCP].payload.load  # Get the original payload data
        newdata = olddata                # No change is made in this sample code

        # Attach the new data and send the packet out
        send(newpkt/newdata)
    elif pkt[IP].src == VM_B_IP and pkt[IP].dst == VM_A_IP:
        send(pkt[IP])  # Forward the original packet

pkt = sniff(filter='tcp', prn=spoof_pkt)
```

It should be noted that the code above captures all the TCP packets, including the ones generated by the program itself. That is undesirable, as it will affect the performance. Students need to change the filter, so it does not capture its own packets.

Behavior of Telnet. In Telnet, typically, every character we type in the Telnet window triggers an individual TCP packet, but if you type very fast, some characters may be sent together in the same packet. That is why in a typical Telnet packet from client to server, the payload only contains one character. The character sent to the server will be echoed back by the server, and the client will then display the character in its window. Therefore, what we see in the client window is not the direct result of the typing; whatever we type in the client window takes a round trip before it is displayed. If the network is disconnected, whatever we typed on the client window will not be displayed until the network is recovered. Similarly, if attackers change the character to Z during the round trip, Z will be displayed at the Telnet client window, even though that is not what you have typed.
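The poisoned state that Step 1 produces (A's and B's IP addresses both resolving to M's MAC address) is visible in the ARP traffic itself. The following is an added example, not part of the lab handout: a small monitor that parses raw Ethernet/ARP frames and flags an IP moving to a new MAC and one MAC claiming several IPs. The MAC addresses and the sample frames are constructed, and it assumes the monitor sees the ARP frames (for example on the host itself or a mirror port).

```python
# EtherType 0x0806 (ARP) + htype 1 (Ethernet) + ptype 0x0800 (IPv4) + hlen 6 + plen 4
ARP_ETH_IPV4 = b"\x08\x06\x00\x01\x08\x00\x06\x04"

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) claimed by an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:20] != ARP_ETH_IPV4:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])   # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])        # sender protocol address
    return mac, ip

class ArpWatch:
    """Tracks IP-to-MAC claims and flags the two symptoms of cache poisoning."""
    def __init__(self):
        self.ip_to_mac = {}
    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        mac, ip = parsed
        alerts = []
        old = self.ip_to_mac.get(ip, mac)
        if old != mac:                                  # an IP moved to another MAC
            alerts.append(f"binding-change {ip}: {old} -> {mac}")
        self.ip_to_mac[ip] = mac
        shared = sorted(i for i, m in self.ip_to_mac.items() if m == mac)
        if len(shared) > 1:                             # one MAC answers for several IPs
            alerts.append(f"shared-mac {mac}: {', '.join(shared)}")
        return alerts

# Constructed demo input: the MACs are assumptions; the A and B IPs are the lab's.
def make_arp(op, sha, spa, tha, tpa):
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return (mac(tha) + mac(sha) + ARP_ETH_IPV4 + bytes([0, op])
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

MAC_A, MAC_B, MAC_M = "08:00:27:00:00:0a", "08:00:27:00:00:0b", "08:00:27:00:00:0c"
SAMPLE = [
    make_arp(2, MAC_A, "10.0.2.6", MAC_B, "10.0.2.7"),   # genuine reply from A
    make_arp(2, MAC_B, "10.0.2.7", MAC_A, "10.0.2.6"),   # genuine reply from B
    make_arp(2, MAC_M, "10.0.2.7", MAC_A, "10.0.2.6"),   # B's IP now claimed by M's MAC
    make_arp(2, MAC_M, "10.0.2.6", MAC_B, "10.0.2.7"),   # A's IP now claimed by M's MAC
]

def run_sample():
    watch = ArpWatch()
    return [alert for frame in SAMPLE for alert in watch.observe(frame)]

print("\n".join(run_sample()))
```

Both signals also fire on benign events such as DHCP reassignment, a host with several addresses, or proxy ARP, so they are triage input rather than proof. Static ARP entries or switch-level dynamic ARP inspection are the preventive controls.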